Introduction
This Quick view provides an overview of the UK’s cybersecurity landscape and highlights the significant costs of getting it wrong. It summarises the key cyber security laws in the UK, provides quick links to regulatory guidance and outlines the sanctions for non-compliance. It is aimed at private practice, in-house lawyers and compliance teams to support them when advising clients and internal teams on cybersecurity strategy, risk management and good corporate governance.
This Quick view covers:
- The legislative framework
- Regulatory guidance and codes of practice
- Sanctions for non-compliance
This Quick view can be used in conjunction with the following How-to guide: How to manage cybersecurity risk and compliance.
1. The legislative framework
Cyberattacks are growing in both sophistication and frequency, posing significant risks to organisations and individuals alike. According to the 2025 Cyber security breaches survey produced by the Department for Science, Innovation & Technology (DSIT) and the Home Office, 43 per cent of businesses and 30 per cent of charities experienced a cyber security breach or attack in the past year. For legal and compliance teams, this is a clear signal that robust cybersecurity governance is no longer optional – it is a strategic, commercial and operational imperative. Effectively managing and mitigating these threats requires a clear understanding of the UK’s cybersecurity landscape and the risks of getting it wrong.
1.1 Key legislation
1.1.1 Computer Misuse Act 1990
The Computer Misuse Act 1990 (the CMA) (as amended) remains the UK’s primary legislation for tackling cybercrime. It criminalises unauthorised access to computer systems and data – such as hacking – and extends to offences involving the intent to commit further crimes using that access. The CMA also covers the unauthorised modification, deletion or ransom of data, as well as the creation and distribution of malicious software. Section 3 of the Investigatory Powers Act 2016 complements the CMA by criminalising the unlawful interception of communications and establishes a framework for authorised surveillance, granting specific powers to designated authorities such as law enforcement agencies and intelligence services.
1.1.2 Data protection regulation
UK General Data Protection Regulation
When the UK left the EU, it retained Regulation (EU) 2016/679 – General Data Protection Regulation (EU GDPR) (as defined below) in domestic law as the UK General Data Protection Regulation (UK GDPR). The UK GDPR imposes strict obligations on organisations to manage data protection risks and governs how organisations use or process personal data to uphold individuals’ privacy rights.
Organisations must implement appropriate technical and organisational measures to ensure the security of personal data and to respond effectively to personal data breaches. Compliance is context-dependent, shaped by an organisation’s specific circumstances, the nature of the personal data processed and the associated risks.
The UK GDPR requires data controllers to notify personal data breaches that pose a high risk to individuals’ rights and freedoms. These must be reported to the Information Commissioner’s Office (ICO) (the supervisory authority for data protection in the UK) within 72 hours of becoming aware of such a data breach. High-risk breaches (such as the exposure of sensitive personal data like medical files or financial information) must also be notified to affected individuals promptly and without undue delay. See How-to guide: How to ensure compliance with the GDPR and Checklist: GDPR compliance self-assessment audit.
The UK GDPR also has extra-territorial reach, applying to non-UK entities offering goods or services to, or monitoring the behaviour of, individuals in the UK. In such cases, the appointment of a UK representative as a point of contact for individuals and the ICO may be required.
Data Protection Act 2018
The Data Protection Act 2018 (DPA 2018) supplements the UK GDPR and gives individuals greater control over how their personal data is collected, used and stored. It supports organisations in the lawful processing of personal data by providing a clear framework for handling personal data responsibly, and gives individuals the right to know what personal data is held about them and the right to have that data erased. It also enhances the regulatory powers of the ICO, enabling it to issue enforcement notices, impose substantial fines and conduct audits and investigations to ensure compliance.
European General Data Protection Regulation (EU GDPR)
For UK-based firms operating in or targeting the European Union (EU), the EU GDPR may or may not apply. Although the UK is no longer part of the EU, the EU GDPR may still apply to UK-based firms if they offer goods or services, or monitor the behaviour of individuals, in the EU.
Such organisations will need to familiarise themselves with the EU GDPR requirements, which may include appointing an EU representative (subject to limited exemptions) and ensuring lawful data transfers from the EU to the UK. See How-to guide: How to ensure compliance with the GDPR and Checklists: Processor due diligence (data protection and cyber security) and Making an international data transfer of personal data under the GDPR.
Network and Information Systems (NIS) Regulations 2018
The Network and Information Systems (NIS) Regulations 2018 (NIS Regulations) were introduced to transpose Directive (EU) 2016/1148 – Network and Information Systems Directive (NIS Directive) into UK law. The NIS Regulations impose cyber security and incident reporting obligations on in-scope organisations across critical infrastructure (such as healthcare, energy and utilities) and on digital service providers such as online marketplaces, online search engines and cloud computing services. In-scope organisations are required to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems on which their service relies. They must also report any incident which has a significant impact on service continuity to the relevant competent authority (eg, the ICO or a sector-specific regulator such as Ofcom) without delay and in any event within 72 hours of becoming aware of it.
Telecommunications (Security) Act 2021
The Telecommunications (Security) Act 2021 imposes stronger cyber security-related duties and responsibilities on public telecoms providers to secure their networks and services against cyber threats, as well as to prepare for future risks. It was introduced in response to the growing cyber threat to telecoms infrastructure and mobile networks. Ofcom, the UK’s communications regulator, has been granted powers to monitor and enforce compliance with these measures. See GOV.UK press release and Ofcom, Telecoms Industry guidance (security requirements).
Data (Use and Access) Act 2025
The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025. It amends key data protection legislation, including the UK GDPR and the DPA 2018. While not yet fully in force, provisions are being introduced on a phased implementation basis. Details of the exact dates will be available on GOV.UK and explanatory notes are provided in the form of Data (Use and Access) factsheets in relation to:
- the UK GDPR and DPA 2018;
- the ICO; and
- the PEC Regulations (Privacy and Electronic Communications Regulations 2003) relating to cookies and marketing.
Additionally, the ICO has produced specific guidance to help organisations navigate the changes.
Cyber Security and Resilience Bill
Post-Brexit, the EU adopted Directive (EU) 2022/2555 – NIS 2 Directive, which repeals and replaces the NIS Directive and expands the scope of regulated sectors, enhancing supervisory mechanisms and strengthening incident reporting. In response, the UK government has introduced the Cyber Security and Resilience Bill (the CSRB) to align where appropriate with the approach in the NIS 2 Directive – see GOV.UK policy statement and guidance. The CSRB is currently making its way through Parliament. It aims to modernise the NIS Regulations to improve the UK’s cyber security and resilience by:
- expanding the scope of regulated sectors;
- strengthening incident reporting requirements for regulated entities;
- enhancing regulatory oversight to ensure essential cybersecurity measures are being implemented; and
- providing the government greater flexibility to update the framework and respond in an agile way to changing threats, such as extending the framework to new sectors.
2. Regulatory guidance and codes of practice
The table below summarises the key regulatory and governmental guidance on cybersecurity. To assist readers, quick links have been provided to access the relevant materials in one place.
| Regulator/authority | Primary role | Useful links |
| --- | --- | --- |
| National Cyber Security Centre (NCSC) | National cybersecurity technical lead and incident response coordination across the UK’s most critical organisations, including the wider public sector, industry, SMEs (small and medium-sized enterprises) and the public. | |
| Information Commissioner’s Office (ICO) | Responsible for enforcing data protection laws and investigating data breaches in the public interest. Promotes transparency in public bodies while safeguarding individuals’ data privacy. | |
| Office of Communications (Ofcom) | UK regulator for the communications industries, covering TV, radio, telecoms, mobiles, postal services and wireless airwaves. Also works to make online services safer and protect users from harm. | |
| Department for Science, Innovation & Technology (DSIT) | UK government’s lead for cybersecurity and resilience, responsible for policy development, oversight, incident response and breach notification. Facilitates cybersecurity information sharing at both national and international levels. | |
3. Sanctions for non-compliance
UK regulatory authorities have been granted significant supervision and enforcement powers under the UK cybersecurity and data protection framework. The table below sets out key statutory offences, identifying the relevant legislation, maximum penalties and the enforcement agencies responsible for oversight and action.
| Legislation | Offence | Maximum penalty | Enforcement agency |
| --- | --- | --- | --- |
| Computer Misuse Act 1990 | Criminal statute. Penalties vary according to the nature of the offence: unauthorised access to computer material, or impairment of or damage to computer systems. | – Up to 14 years’ imprisonment, or life imprisonment if it affects human welfare or national security, and/or unlimited fines: section 3ZA (unauthorised acts causing, or creating risk of, serious damage). – Up to 10 years’ imprisonment and/or unlimited fines for unauthorised acts with intent to impair the operation of a computer: section 3. – Up to five years’ imprisonment and/or unlimited fines for unauthorised access with intent to commit further offences (eg, fraud or data theft): section 2. – Up to two years’ imprisonment and/or unlimited fines for basic unauthorised access to computer material: section 1. – Up to two years’ imprisonment and/or unlimited fines for making or supplying articles (including software) for use in computer misuse: section 3A. | Crown Prosecution Service (CPS) – see Computer Misuse Act. |
| UK GDPR/DPA 2018 | Breach of the data protection principles or failure to secure personal data. | – Up to £17.5 million or 4 per cent of total annual worldwide turnover in the preceding financial year (whichever is higher) for serious breaches. – Up to £8.7 million or 2 per cent of total annual worldwide turnover in the preceding financial year (whichever is higher) for less serious breaches. | ICO – see Penalties. |
| EU GDPR (for UK-based firms operating in the EU) | Same as above. | Reprimand, temporary or definitive ban on processing, and a fine of up to 4 per cent of annual worldwide turnover or €20 million (whichever is greater), together with without-notice investigations. | |
| NIS Regulations | Failure to implement appropriate and proportionate security measures; failure to notify a security incident that has a significant impact on service continuity; failure to notify the public of an incident when required to do so; failure to comply with an information or enforcement notice; failure to cooperate with, or pay for, an inspection or audit. | Information notices, enforcement notices, inspection powers and fines. Financial penalties vary with the severity of the breach: up to £1 million for non-material breaches, and up to £17 million for material contraventions that cause, or risk causing, significant disruption to essential services. | The NIS Regulations are enforced by the relevant sector-specific regulators, as designated in Schedule 1 to the Regulations. Relevant digital service providers are regulated by the ICO. See NIS guidance for competent authorities and ICO guide to NIS enforcement. |
| Telecommunications (Security) Act 2021 | Includes failure to comply with security duties; failure to provide information or refusal to explain non-compliance with a Code of Practice; breach of specific security measures as required. | Failure to comply with security duties – up to 10 per cent of annual turnover or £100,000 per day for ongoing non-compliance. Failure to provide information or refusal to explain a failure to follow a Code of Practice – up to £10 million or £50,000 per day for ongoing non-compliance. | Ofcom is the primary enforcement agency, with the NCSC providing technical guidance. |
The true cost of a cybersecurity breach often extends well beyond regulatory and financial penalties. The consequences can be severe and far-reaching – triggering legal claims from affected individuals or organisations, causing significant operational disruption, damaging reputations and eroding stakeholder trust.
Additional resources
Related Lexology Pro content
How-to guide:
How to manage cybersecurity risk and compliance
This practical resource is derived from an MBL Seminars seminar, delivered by Robert Bond, Director at Bond & Bond Limited.
MBL, now part of Law Business Research and a sister brand to Lexology, is a leading learning and development provider for professional service firms.